HL7 May 2018 WGM MINUTES - Cologne, Germany

Monday Q3

Joint CBCP - Security

Monday Q4

Joint CBCP - Security

Tuesday Q1

Opening Security WG Meeting


  • Trish Williams
  • John Moehrke
  • Alexander Mense
  • Kathleen Connor
  • Hideyuki Miyohara HL7 Japan
  • David Pyke

Chaired by Alex

1. Introductions

2. Approval of agenda

  • Discussion on content in relation to Blockchain and its potential impact. This will be included in the agenda and discussion of the potential use cases.

Proposed: Kathleen; Seconded: John; Approved: 5:0:0

3. International Report outs (given at meeting with CBCP Monday Q3)

  • Japan: In 2020, Japan will have a full patient national ID.
  • EU: The deadline for national transposition of the EU NIS (cybersecurity) directive into law was last week. Many countries (e.g. Austria) have missed the deadline. Therefore, in Austria only critical infrastructure is applicable.
  • Australia: Privacy breach reporting has begun in Australia; 25% were healthcare providers.
  • Canada: Statistics collection on privacy breaches is now required; the privacy commissioner will report out nationally.
  • In the US, ransomware is a breach
  • Switzerland: Launched a working model for a national HIE based on an upcoming new restricted national ID and IHE profiles. Double opt-in (clinicians and patients may) should be live by 2022. Privacy restrictions will be patient based. Documentation will be sent to the CBCP list

4. Liaison Reports: ISO, IHE, ONC

  • ISO (Hide): Audit trail discussions (27789 Audit Trail for EHR). Change proposal to keep conformance with ATNA, etc. Some vocabulary, such as purpose of use, is not harmonized among SDOs. ISO will harmonize/constrain/map these vocabularies as part of their process. Presentation on the recent ISO meeting in Brazil. Presentation is on the SEC WG homepage (Documents and Presentations).
  • OASIS: No report
  • IHE: AS4 Security has been mandated and IHE is setting up a new Document Sharing set of options based on AS4 requirements.

5. FHIR Security Report out - John Moehrke

6. HL7 Project status and updates:

    • Trust Framework for Federated Authorization (TF4FA) Ballot outcomes and reconciliation plans - Kathleen for Mike Davis and Chris Shawn
    • TF4FA Volume 3 for Audit, Provenance, and Blockchain Development Plans - Kathleen for Mike Davis and Chris Shawn
    • Is Privacy Obsolete Study Group - Kathleen for Mike Davis
    • DAM: Needs to progress to publication. This was not completed after the last meeting because new information in the form was required. Alex and Trish to progress.
    • Status of PASS Audit
      • SOA has requested the status of PASS Audit, as it is still sitting at reconciliation for the normative publication. SEC WG will ask Mike to clarify what content for PSAF is in relation to PASS Audit.
      • All PASS projects need to be with SEC, not SOA. The current arrangement is historical, but it now makes more sense for the PASS work to sit with SEC. Trish and Alex to talk to Dave Hamill and SOA about making this happen.

Tuesday Q2

Joint with CBCP - FHIR Connectathon Report Out/July Harmonization


  • Trish Williams
  • John Moehrke
  • Alexander Mense
  • Kathleen Connor
  • Hideyuki Miyohara HL7 Japan
  • David Pyke

1. FHIR support of GDPR - See GDPR SEC special wiki page

2. July Harmonization Focus

    • Sharing with Protections - TEFCA Minimum Necessary given expanded Purposes of Use and need to establish Legitimate Relationships - Provisioning with ABAC Clearances & Security Labels
    • Possible GDPR Security Label vocabulary - Kathleen

3. Findings from Cologne GDPR and Blockchain Connectathon Tracks

4. EU Security Items - TBD

Tuesday Q3

Joint CBCP, Hosting Security

    • Brian Postlethwaite regarding new PSS - Proposal for new VerificationResult resource:
      • The VerificationResult resource records the details and results of a resource that needs to be, or has been, verified by multiple parties. It does not represent the related workflows or tasks, but does cover who did what, when, why, and when it needs to be done again.
      • This is in contrast to the AuditEvent, which could record that a resource was received from someone, and the Provenance, which records who it came from.
      • Implementing it as a profile on Provenance was considered; however, this seems to be different in scope in that it includes details of the verification.

Discussion about whether this is so similar to Provenance as to make it inappropriate. This would stretch the meaning of the Provenance resource. The outcome was that Provenance is not a suitable substitute or resource for the intended use of VerificationResult. This new resource is about metadata of the process, which is not exactly the same content as for Provenance, which omits how, when and why future verification is done. If there is confusion over the resource because of the similarity, this would need to be made clear so that it is not misused in place of Provenance.

Where the scope, content and boundaries require, the Provenance resource will point to the VerificationResult resource, and the Security webpages will be updated to reflect this.

    • Report out on FHIR Privacy and Security ballot outcomes - Dave and John

Tuesday Q4

Security TF4FA Ballot Reconciliation Work Session


Chaired by

Wednesday Q1

Joint with EHR, CBCP, FHIR, SOA, Security (EHR hosting)

Includes discussion about:

  • Standards support for key GDPR Policies - Rene Spronk
  • TF4FA Ballot Outcome and Next Steps - Kathleen for Mike Davis and Chris Shawn

Wednesday Q2

No meeting

Wednesday Q3

Security WG deep FHIR topics


Chaired by

Wednesday Q4

Security WG European Privacy and Security Issues Meeting


Chaired by

Thursday Q1

Security hosting CBCP, FHIR-I Joint


Chaired by

1. FHIR Security Agenda TBD

Thursday Q1

Security WG Admin Meeting


Chaired by

  • Workgroup Health Update - Cochairs
  • See PBS Metrics 2018May Interim Report: Need to publish S&P DAM May 2014 Informative Ballot
  • S&P DAM May 2014 - still needs publication request to complete this missing WG Health Item
  • Governance Documents - Cochairs
  • 3 Year Plan Refresh - Cochairs
  • WGM Minutes Drafting - Cochairs
  • Conference Call Scheduling - Cochairs